When an inbound message arrives, validate its reported length before propagating it, otherwise buggy (or malicious) remote processors might trick us into accessing memory which we really shouldn't.
Signed-off-by: Ohad Ben-Cohen <[email protected]> Cc: Grant Likely <[email protected]> Cc: Arnd Bergmann <[email protected]> Cc: Mark Grosen <[email protected]> Cc: Suman Anna <[email protected]> Cc: Fernando Guzman Lugo <[email protected]> Cc: Rob Clark <[email protected]> Cc: Ludovic BARRE <[email protected]> Cc: Loic PALLARDY <[email protected]> Cc: Omar Ramirez Luna <[email protected]> --- drivers/rpmsg/virtio_rpmsg_bus.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c index 4db9cf8..1e8b8b6 100644 --- a/drivers/rpmsg/virtio_rpmsg_bus.c +++ b/drivers/rpmsg/virtio_rpmsg_bus.c @@ -778,6 +778,16 @@ static void rpmsg_recv_done(struct virtqueue *rvq) print_hex_dump(KERN_DEBUG, "rpmsg_virtio RX: ", DUMP_PREFIX_NONE, 16, 1, msg, sizeof(*msg) + msg->len, true); + /* + * We currently use fixed-sized buffers, so trivially sanitize + * the reported payload length. + */ + if (len > RPMSG_BUF_SIZE || + msg->len > (len - sizeof(struct rpmsg_hdr))) { + dev_warn(dev, "inbound msg too big: (%d, %d)\n", len, msg->len); + return; + } + /* use the dst addr to fetch the callback of the appropriate user */ mutex_lock(&vrp->endpoints_lock); ept = idr_find(&vrp->endpoints, msg->dst); -- 1.7.5.4 -- To unsubscribe from this list: send the line "unsubscribe linux-omap" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
